252559 matches found
CVE-2026-44001
Summary: CVE-2026-44001 affects vm2 before version 3.11.0, where a sandbox escape allows sandboxed code to crash the host Node.js process via an unhandled rejection from a Promise executor. The issue stems from the executor path not being sanitized, even though the earlier CVE-2026-22709 fix add...
CVE-2026-43999 vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the `module` builtin is allowed, including via the '*' wildcard. The `module` builtin exposes Node's `Module._load`, which loads any module by name directly in the host context, completely...
CVE-2026-43997
CVE-2026-43997 affects the vm2 sandbox for Node.js. The vulnerability enables an attacker to obtain the host Object and escape the sandbox, potentially leading to arbitrary code execution (RCE). Affected versions were
DRUPAL-CONTRIB-2026-034
The Node view permissions module enables the permissions "View own content" and "View any content" for each content type on the permissions page. The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...
CVE-2026-44578
CVE-2026-44578 affects Next.js self-hosted deployments using the built-in Node.js server. The issue enables server-side request forgery via crafted WebSocket upgrade requests, allowing an attacker to proxy requests to internal or external destinations and potentially expose internal services or c...
Malicious code in chia-network (npm)
Source: ossf-package-analysis c7439a1ad4a50c3852597bd31aaf7a3f15c53c2cb9f124b9b350e55517b5f592 The OpenSSF Package Analysis project identified 'chia-network' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...
TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages
Research reveals that TeamPCP hijacked OIDC tokens to poison hundreds of TanStack, Mistral AI, and UiPath packages with the self-propagating Mini Shai-Hulud worm...
Malicious code in load-bufferjs (npm)
Source: ghsa-malware 04d9f5ba202651d252a375411cf609db6f9a7ae83f164f6f2e66559a6dff5b92 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious Package
Overview: buffer-export is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2026-3658 Malicious code in load-bufferjs (npm)
Source: ghsa-malware 04d9f5ba202651d252a375411cf609db6f9a7ae83f164f6f2e66559a6dff5b92 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-3657 Malicious code in chai-as-streamed (npm)
Source: ghsa-malware fef1582aa7fb15599bd48e6f077be4d1a577d3916cf2c2650893f0406ede8ea3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
GHSA-JVWF-75H9-CWGG vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
CVE-2026-44292 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
CVE-2026-44288 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
GHSA-Q6X5-8V7M-XCRF vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
GHSA-FX83-V9X8-X52W vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
CVE-2026-44289 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
CVE-2026-44290 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
GHSA-2PR8-PHX7-X9H3 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...
CVE-2026-44293 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, gemini-cli, vitess, cadence-web, pulumi, librechat, renovate, homepage, kibana, opentelemetry-auto-instrumentations-node...